On May 3, 2021, Ivanti issued a security update addressing critical vulnerabilities in its Pulse Connect Secure SSL VPN appliances. The flaws have reportedly been exploited by APT actors to target government agencies, critical infrastructure entities, and private companies across the U.S.
Pulse Connect Secure Vulnerabilities
According to the CISA alert of April 20, 2021, several state-sponsored groups have exploited Pulse Connect Secure vulnerabilities in targeted attacks since June 2020. The actors used a newly disclosed critical authentication bypass (CVE-2021-22893) to achieve arbitrary code execution on the Pulse Connect Secure gateway, chaining it with older issues (CVE-2020-8243, CVE-2020-8260, CVE-2019-11510) to gain initial access and plant webshells on compromised appliances.
Additionally, in May 2021 Ivanti disclosed three more flaws affecting Pulse Connect Secure products. The first is a critical buffer overflow (CVE-2021-22894) that allows a remote authenticated user to execute arbitrary code with the highest privileges. The second is a critical command injection flaw (CVE-2021-22899) that enables remote code execution via Windows File Resource Profiles. The third (CVE-2021-22900) covers multiple unrestricted upload issues that allow an authenticated administrator to perform a file write via a malicious archive upload.
Detection and Mitigation
Pulse Connect Secure versions 9.0Rx and 9.1Rx are affected, so users are urged to upgrade to 9.1R11.4 as soon as possible. The update addresses all of the flaws, including CVE-2021-22893, which was actively exploited by Chinese APT actors against U.S. defense agencies. Users should also apply the mitigation steps described in Ivanti's latest advisory. Note that installing the update does not remove webshells or other modifications planted before patching, so appliances that were exposed while vulnerable should additionally be checked for tampering (for example with Ivanti's Pulse Connect Secure Integrity Tool) rather than assumed clean.
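The first practical step is knowing which appliances still run an affected build. The script below is an added example, not code from SOC Prime, Ivanti, or CISA: it parses Pulse Connect Secure version strings of the form `9.1R11.3` into comparable tuples, flags anything below the fixed release 9.1R11.4 named above as needing an upgrade, and fails closed on version strings it cannot parse. The hostnames and version values in `SAMPLE_INVENTORY` are constructed for the example (including a hypothetical later `9.1R12` build); in practice the inventory would come from your asset database or the appliances' admin API.

```python
import re
from typing import Dict, List, Optional, Tuple

# Release that Ivanti's May 2021 update ships. Per the advisory summarised
# above, the 9.0Rx and 9.1Rx trains below this version are affected.
FIXED_VERSION = "9.1R11.4"

# Pulse Connect Secure versions look like <major>.<minor>R<release>[.<patch>],
# e.g. "9.1R11.3", "9.0R3.5" or "9.1R11" (no patch component).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_pcs_version(version: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn a PCS version string into a (major, minor, release, patch) tuple.

    A missing patch component is treated as 0 so that "9.1R11" sorts below
    "9.1R11.1". Returns None when the string does not match the expected
    format, so callers can treat unknown versions explicitly instead of
    silently comparing garbage.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        return None
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def needs_upgrade(version: str) -> bool:
    """True if the appliance runs a build older than FIXED_VERSION.

    Unparseable versions return True on purpose: an appliance whose version
    cannot be determined should be investigated, not marked safe.
    """
    parsed = parse_pcs_version(version)
    if parsed is None:
        return True
    return parsed < parse_pcs_version(FIXED_VERSION)


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket a {hostname: version} inventory by remediation status."""
    buckets: Dict[str, List[str]] = {
        "upgrade_required": [],
        "patched": [],
        "unparseable": [],
    }
    fixed = parse_pcs_version(FIXED_VERSION)
    for host, version in inventory.items():
        parsed = parse_pcs_version(version)
        if parsed is None:
            buckets["unparseable"].append(host)
        elif parsed < fixed:
            buckets["upgrade_required"].append(host)
        else:
            buckets["patched"].append(host)
    return buckets


# Constructed sample data for the example; hostnames and versions are invented.
SAMPLE_INVENTORY = {
    "vpn-gw-01.example.internal": "9.1R11.3",  # one patch level short
    "vpn-gw-02.example.internal": "9.1R11.4",  # exactly the fixed release
    "vpn-gw-03.example.internal": "9.0R3.5",   # older 9.0Rx train
    "vpn-gw-04.example.internal": "9.1R12",    # hypothetical later release
    "vpn-gw-05.example.internal": "unknown",   # inventory record without a version
}


if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status}:")
        for host in hosts:
            print(f"  {host} ({SAMPLE_INVENTORY[host]})")
```

Hosts in the `upgrade_required` bucket should be scheduled for the update; hosts in `unparseable` need their version confirmed by hand before being trusted. Because exploitation of CVE-2021-22893 predates the fix, appliances that sat in the affected range while exposed should also be checked for tampering, regardless of which bucket they land in today.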
To improve proactive detection of ongoing attacks, users can also download a set of free Sigma rules released by the SOC Prime Team in cooperation with our active Threat Bounty developers. All content is directly mapped to the MITRE ATT&CK® framework and includes the corresponding references and descriptions:
Subscribe to Threat Detection Marketplace, a world-leading Detection as Code platform that aggregates 100K+ queries, parsers, SOC-ready dashboards, YARA and Snort rules, Machine Learning models, and Incident Response Playbooks mapped to CVEs and the MITRE ATT&CK framework. Our content base is enriched every day through the joint effort of 300+ seasoned security professionals from all over the world. Interested in SOC Prime’s threat hunting initiatives and want to monetize your cybersecurity skills? Join our Threat Bounty program!